Slide 1: Blockchain Privacy, Security, Compliance and Regulation
Session 109, Wednesday, February 13, 2019
David Houlding, CISSP, CIPP, Principal Healthcare Lead, Microsoft
Mitch Parker, CISSP, Executive Director, Information Security and Compliance, Indiana University Health
Dan Bowden, VP and CISO, Sentara Healthcare
Slide 2: Conflict of Interest
David Houlding, Mitch Parker and Dan Bowden have no real or apparent conflicts of interest to report.
Slide 3: Agenda
1. Healthcare Security Landscape
2. Privacy
3. Security
4. Adequacy
5. Compliance
6. AI and Blockchain for Cybersecurity
7. Q&A
Slide 4: Learning Objectives
- Mitigate privacy risks with blockchain, and learn how to use blockchain to improve privacy
- Discover what security blockchain provides, and what remains that you need to take care of
- Manage new security risks from connecting multiple healthcare organizations with blockchain
- Comply with regulations and data protection laws
- Advance AI for cybersecurity using blockchain
Slide 5: Breaches, Ransomware, DDoS, Privacy Storms, etc.
- All of these have the commonality of reducing either the confidentiality, integrity, or availability of systems or data
- Breaches are the unauthorized or unintended use of data
- Ransomware prevents access via encryption
- DDoS prevents access by removing availability
- Privacy Storms: perhaps the most prevalent
  - Companies have been sharing Personal Data without explicit consent; millions of records exposed
  - This is exactly what GDPR was designed to address
  - HIPAA also requires consent
  - The bad behavior of numerous companies during 2018 has brought this to light for consumers
Slide 6: What are the privacy risks?
- Information being shared without the consent of the Natural Persons that it describes
- Information not being protected to transparent and accountable standards
- Companies assuming by default they can share Personal Data, and getting away with it because there is no way to prevent it
- Natural Persons not being empowered to determine who and where they can share data with, and what happens downstream
- It's not about disallowing sharing; it's about giving people the right to determine who they can share with, and explaining to them clearly what will happen with their data
- Give them the right to make informed decisions!
Slide 7: How do we mitigate this?
- Laws: GDPR, California Consumer Privacy Act (CCPA), other international derivatives
  - Issue: How do you enforce these?
  - Issue: How do you even know if companies are doing all that is needed to abide?
- Reassuring Users: demonstrating that companies have implemented technologies that can enforce stricter control over privacy
- Empowering Users: provide them environments that have the required legal and technical protections, plus give them the option to market and use their data their way
- Blockchain is useful here to record and audit transactions
- Smart Contracts are also excellent for enforcing terms and conditions
Slide 8: Blockchain: C.I.A.
1. What problem is being solved? Non-functional requirements
2. Functional requirements: throughput, capacity, security, etc.
3. Build vs. Buy vs. Both
4. Map requirements, start designing
** Don't worry about the pic; Dan is a believer, he just works with a critical eye…
Slide 9: Blockchain: Confidentiality
- Risk Assessment is Key
- Test and Validate (Type, Chain, Protocol)
- "The facts" of blockchain
  - Example: Decentralization: is it really decentralized, and is it going to be fast enough?
- Private Systems: Invitation Only vs. Permissioned Systems: Security and Control
  - In healthcare, we're more likely to work with each other under our own, true identities
- "Be Prepared"… to BYOS (bring your own security) when necessary
- Do the same work you would for any other system
Slide 10: Blockchain: Integrity
- Theoretically Tamperproof (immutable)
- Cryptographic fingerprint (hash) unique to each block
- Consensus protocol by which nodes agree on shared history
- Enabler for compliance efforts (audit evidence)
- Source for security and activity: monitoring, logging, alerting
Slide 11: Blockchain: Availability
- Infrastructure is Key
  - Picking a Type (Public, Private, Permissioned)
  - Picking a Chain (Ethereum, Hyperledger)
  - Database Architecture: decisions, decisions, decisions…
- Picking Consensus Protocols
  - Hashing takes a lot of computing time and power
- Picking the right Type, Chain, Protocol for the use case
  - Protocol should support functionality objectives
  - Multiple chains? Running different protocols?
  - Permissioned blockchains likely require faster transactions
  - Models based on cryptocurrency are likely unsustainable for enterprise use and permissioned blockchains
Slide 12: Adequacy of Security
- Breaches or other security incidents would tarnish, and could impede or derail, blockchain initiatives
- Security risks with business associates are well understood
- Blockchains have similar risks across the consortiums
Recommended Approach
1. Proactive risk assessment
2. Identification of weak links, and remediation as needed
3. Ensure adequacy of security and risk mitigation
4. Build trust, pave the way for success
Slide 13: Compliance
- Types of data on blockchain: PII, PHI
- Location of blockchain nodes
- Where you start, and how you expect to grow
- Involve your compliance team early in your blockchain initiative
Slide 14: Data Sovereignty
- Data added to blockchain is replicated across copies of the shared ledger, across blockchain nodes
- Blockchain nodes can exist across multiple regulatory or data protection law jurisdictions
- What types of data are you storing on your blockchain?
- Where are your blockchain nodes located?
- How will your blockchain grow: data types, and geographically?
Slide 15: Enable compliance with data protection laws
Right to be Forgotten
- Some data protection laws enforce individuals' right to be forgotten
- Blockchain is immutable
- Keep PII / PHI off of the blockchain, in secure enterprise systems, where possible
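As an added illustration of the two points above (not code from the presenters or from any product they mention), the following Python sketch shows the hash-chained ledger behind the "integrity" slide and the "keep PHI off the blockchain" pattern from this slide: the chain stores only a salted commitment and a reference to an off-chain record, so the record can later be deleted for a right-to-be-forgotten request while the ledger stays untouched and still verifies. The record layout, the `rec-1` reference and the sample PHI are constructed assumptions.

```python
import hashlib
import json
import secrets

GENESIS = "0" * 64


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(obj) -> bytes:
    # Deterministic encoding so the same record always hashes the same way.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def commit_record(record: dict) -> tuple:
    # Commitment = SHA-256(random salt || record). The salt stops an observer
    # of the ledger from recovering low-entropy PHI (e.g. a diagnosis code) by
    # hashing guesses and comparing. The salt is kept off-chain with the record.
    salt = secrets.token_bytes(16)
    return sha256_hex(salt + canonical(record)), salt


def verify_commitment(record: dict, salt: bytes, commitment: str) -> bool:
    return sha256_hex(salt + canonical(record)) == commitment


def append_block(chain: list, payload: dict) -> dict:
    # Each block's hash covers its payload and the previous block's hash.
    prev = chain[-1]["hash"] if chain else GENESIS
    body = {"prev_hash": prev, "payload": payload}
    block = dict(body, hash=sha256_hex(canonical(body)))
    chain.append(block)
    return block


def verify_chain(chain: list) -> bool:
    prev = GENESIS
    for block in chain:
        body = {"prev_hash": block["prev_hash"], "payload": block["payload"]}
        if block["prev_hash"] != prev or block["hash"] != sha256_hex(canonical(body)):
            return False  # a modified or reordered block breaks the chain
        prev = block["hash"]
    return True


def demo() -> tuple:
    phi = {"patient_id": "P-0001", "dx": "E11.9"}  # constructed sample PHI, off-chain only
    commitment, salt = commit_record(phi)
    off_chain = {"rec-1": {"record": phi, "salt": salt}}  # hypothetical enterprise store
    chain = []
    append_block(chain, {"ref": "rec-1", "commitment": commitment})  # no PHI on-chain
    ok_before = verify_commitment(phi, salt, commitment)
    del off_chain["rec-1"]  # right to be forgotten: erase off-chain, ledger untouched
    intact_after_delete = verify_chain(chain)
    chain[0]["payload"]["ref"] = "rec-9"  # tampering with a ledger copy is detected
    return ok_before, intact_after_delete, verify_chain(chain)
```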
Slide 16: Opportunities to Advance AI for Cybersecurity with Blockchain
Slide 17: Questions?
David Houlding, CISSP, CIPP, Principal Healthcare Lead, Microsoft
David.Houlding@Microsoft.com | LinkedIn.com/in/DavidHoulding | @DavidHoulding
Mitch Parker, CISSP, Executive Director, Information Security and Compliance, Indiana University Health
mparker17@IUHealth.org | LinkedIn.com/in/Mitch-p-95a9a04/ | @MitchParkerCISO
Dan Bowden, VP and CISO, Sentara Healthcare
dsbowden@Sentara.com | LinkedIn.com/in/deltasbravo/ | @uitdanbowden
Please complete the online session evaluation